9 "github.com/Sirupsen/logrus"
10 "github.com/docker/notary/tuf/data"
11 "github.com/docker/notary/tuf/signed"
12 "github.com/docker/notary/tuf/utils"
15 // ErrValidationFail is returned when there is no valid trusted certificates
16 // being served inside of the roots.json
17 type ErrValidationFail struct {
21 // ErrValidationFail is returned when there is no valid trusted certificates
22 // being served inside of the roots.json
23 func (err ErrValidationFail) Error() string {
24 return fmt.Sprintf("could not validate the path to a trusted root: %s", err.Reason)
27 // ErrRootRotationFail is returned when we fail to do a full root key rotation
28 // by either failing to add the new root certificate, or delete the old ones
29 type ErrRootRotationFail struct {
33 // ErrRootRotationFail is returned when we fail to do a full root key rotation
34 // by either failing to add the new root certificate, or delete the old ones
35 func (err ErrRootRotationFail) Error() string {
36 return fmt.Sprintf("could not rotate trust to a new trusted root: %s", err.Reason)
39 func prettyFormatCertIDs(certs map[string]*x509.Certificate) string {
40 ids := make([]string, 0, len(certs))
41 for id := range certs {
44 return strings.Join(ids, ", ")
48 ValidateRoot receives a new root, validates its correctness and attempts to
49 do root key rotation if needed.
51 First we check if we have any trusted certificates for a particular GUN in
52 a previous root, if we have one. If the previous root is not nil and we find
53 certificates for this GUN, we've already seen this repository before, and
54 have a list of trusted certificates for it. In this case, we use this list of
55 certificates to attempt to validate this root file.
57 If the previous validation succeeds, we check the integrity of the root by
58 making sure that it is validated by itself. This means that we will attempt to
59 validate the root data with the certificates that are included in the root keys
62 However, if we do not have any current trusted certificates for this GUN, we
63 check if there are any pinned certificates specified in the trust_pinning section
64 of the notary client config. If this section specifies a Certs section with this
65 GUN, we attempt to validate that the certificates present in the downloaded root
66 file match the pinned ID.
68 If the Certs section is empty for this GUN, we check if the trust_pinning
69 section specifies a CA section specified in the config for this GUN. If so, we check
70 that the specified CA is valid and has signed a certificate included in the downloaded
71 root file. The specified CA can be a prefix for this GUN.
73 If both the Certs and CA configs do not match this GUN, we fall back to the TOFU
74 section in the config: if true, we trust certificates specified in the root for
75 this GUN. If later we see a different certificate for that certificate, we return
76 an ErrValidationFailed error.
78 Note that since we only allow trust data to be downloaded over an HTTPS channel
79 we are using the current public PKI to validate the first download of the certificate
80 adding an extra layer of security over the normal (SSH style) trust model.
81 We shall call this: TOFUS.
83 Validation failure at any step will result in an ErrValidationFailed error.
85 func ValidateRoot(prevRoot *data.SignedRoot, root *data.Signed, gun string, trustPinning TrustPinConfig) (*data.SignedRoot, error) {
86 logrus.Debugf("entered ValidateRoot with dns: %s", gun)
87 signedRoot, err := data.RootFromSigned(root)
92 rootRole, err := signedRoot.BuildBaseRole(data.CanonicalRootRole)
97 // Retrieve all the leaf and intermediate certificates in root for which the CN matches the GUN
98 allLeafCerts, allIntCerts := parseAllCerts(signedRoot)
99 certsFromRoot, err := validRootLeafCerts(allLeafCerts, gun, true)
100 validIntCerts := validRootIntCerts(allIntCerts)
103 logrus.Debugf("error retrieving valid leaf certificates for: %s, %v", gun, err)
104 return nil, &ErrValidationFail{Reason: "unable to retrieve valid leaf certificates"}
107 logrus.Debugf("found %d leaf certs, of which %d are valid leaf certs for %s", len(allLeafCerts), len(certsFromRoot), gun)
109 // If we have a previous root, let's try to use it to validate that this new root is valid.
110 havePrevRoot := prevRoot != nil
112 // Retrieve all the trusted certificates from our previous root
113 // Note that we do not validate expiries here since our originally trusted root might have expired certs
114 allTrustedLeafCerts, allTrustedIntCerts := parseAllCerts(prevRoot)
115 trustedLeafCerts, err := validRootLeafCerts(allTrustedLeafCerts, gun, false)
117 return nil, &ErrValidationFail{Reason: "could not retrieve trusted certs from previous root role data"}
120 // Use the certificates we found in the previous root for the GUN to verify its signatures
121 // This could potentially be an empty set, in which case we will fail to verify
122 logrus.Debugf("found %d valid root leaf certificates for %s: %s", len(trustedLeafCerts), gun,
123 prettyFormatCertIDs(trustedLeafCerts))
125 // Extract the previous root's threshold for signature verification
126 prevRootRoleData, ok := prevRoot.Signed.Roles[data.CanonicalRootRole]
128 return nil, &ErrValidationFail{Reason: "could not retrieve previous root role data"}
130 err = signed.VerifySignatures(
131 root, data.BaseRole{Keys: utils.CertsToKeys(trustedLeafCerts, allTrustedIntCerts), Threshold: prevRootRoleData.Threshold})
133 logrus.Debugf("failed to verify TUF data for: %s, %v", gun, err)
134 return nil, &ErrRootRotationFail{Reason: "failed to validate data with current trusted certificates"}
136 // Clear the IsValid marks we could have received from VerifySignatures
137 for i := range root.Signatures {
138 root.Signatures[i].IsValid = false
142 // Regardless of having a previous root or not, confirm that the new root validates against the trust pinning
143 logrus.Debugf("checking root against trust_pinning config", gun)
144 trustPinCheckFunc, err := NewTrustPinChecker(trustPinning, gun, !havePrevRoot)
146 return nil, &ErrValidationFail{Reason: err.Error()}
149 validPinnedCerts := map[string]*x509.Certificate{}
150 for id, cert := range certsFromRoot {
151 logrus.Debugf("checking trust-pinning for cert: %s", id)
152 if ok := trustPinCheckFunc(cert, validIntCerts[id]); !ok {
153 logrus.Debugf("trust-pinning check failed for cert: %s", id)
156 validPinnedCerts[id] = cert
158 if len(validPinnedCerts) == 0 {
159 return nil, &ErrValidationFail{Reason: "unable to match any certificates to trust_pinning config"}
161 certsFromRoot = validPinnedCerts
163 // Validate the integrity of the new root (does it have valid signatures)
164 // Note that certsFromRoot is guaranteed to be unchanged only if we had prior cert data for this GUN or enabled TOFUS
165 // If we attempted to pin a certain certificate or CA, certsFromRoot could have been pruned accordingly
166 err = signed.VerifySignatures(root, data.BaseRole{
167 Keys: utils.CertsToKeys(certsFromRoot, validIntCerts), Threshold: rootRole.Threshold})
169 logrus.Debugf("failed to verify TUF data for: %s, %v", gun, err)
170 return nil, &ErrValidationFail{Reason: "failed to validate integrity of roots"}
173 logrus.Debugf("root validation succeeded for %s", gun)
174 // Call RootFromSigned to make sure we pick up on the IsValid markings from VerifySignatures
175 return data.RootFromSigned(root)
178 // validRootLeafCerts returns a list of possibly (if checkExpiry is true) non-expired, non-sha1 certificates
179 // found in root whose Common-Names match the provided GUN. Note that this
180 // "validity" alone does not imply any measure of trust.
181 func validRootLeafCerts(allLeafCerts map[string]*x509.Certificate, gun string, checkExpiry bool) (map[string]*x509.Certificate, error) {
182 validLeafCerts := make(map[string]*x509.Certificate)
184 // Go through every leaf certificate and check that the CN matches the gun
185 for id, cert := range allLeafCerts {
186 // Validate that this leaf certificate has a CN that matches the exact gun
187 if cert.Subject.CommonName != gun {
188 logrus.Debugf("error leaf certificate CN: %s doesn't match the given GUN: %s",
189 cert.Subject.CommonName, gun)
192 // Make sure the certificate is not expired if checkExpiry is true
193 // and warn if it hasn't expired yet but is within 6 months of expiry
194 if err := utils.ValidateCertificate(cert, checkExpiry); err != nil {
195 logrus.Debugf("%s is invalid: %s", id, err.Error())
199 validLeafCerts[id] = cert
202 if len(validLeafCerts) < 1 {
203 logrus.Debugf("didn't find any valid leaf certificates for %s", gun)
204 return nil, errors.New("no valid leaf certificates found in any of the root keys")
207 logrus.Debugf("found %d valid leaf certificates for %s: %s", len(validLeafCerts), gun,
208 prettyFormatCertIDs(validLeafCerts))
209 return validLeafCerts, nil
212 // validRootIntCerts filters the passed in structure of intermediate certificates to only include non-expired, non-sha1 certificates
213 // Note that this "validity" alone does not imply any measure of trust.
214 func validRootIntCerts(allIntCerts map[string][]*x509.Certificate) map[string][]*x509.Certificate {
215 validIntCerts := make(map[string][]*x509.Certificate)
217 // Go through every leaf cert ID, and build its valid intermediate certificate list
218 for leafID, intCertList := range allIntCerts {
219 for _, intCert := range intCertList {
220 if err := utils.ValidateCertificate(intCert, true); err != nil {
223 validIntCerts[leafID] = append(validIntCerts[leafID], intCert)
230 // parseAllCerts returns two maps, one with all of the leafCertificates and one
231 // with all the intermediate certificates found in signedRoot
232 func parseAllCerts(signedRoot *data.SignedRoot) (map[string]*x509.Certificate, map[string][]*x509.Certificate) {
233 if signedRoot == nil {
237 leafCerts := make(map[string]*x509.Certificate)
238 intCerts := make(map[string][]*x509.Certificate)
240 // Before we loop through all root keys available, make sure any exist
241 rootRoles, ok := signedRoot.Signed.Roles[data.CanonicalRootRole]
243 logrus.Debugf("tried to parse certificates from invalid root signed data")
247 logrus.Debugf("found the following root keys: %v", rootRoles.KeyIDs)
248 // Iterate over every keyID for the root role inside of roots.json
249 for _, keyID := range rootRoles.KeyIDs {
250 // check that the key exists in the signed root keys map
251 key, ok := signedRoot.Signed.Keys[keyID]
253 logrus.Debugf("error while getting data for keyID: %s", keyID)
257 // Decode all the x509 certificates that were bundled with this
259 decodedCerts, err := utils.LoadCertBundleFromPEM(key.Public())
261 logrus.Debugf("error while parsing root certificate with keyID: %s, %v", keyID, err)
265 // Get all non-CA certificates in the decoded certificates
266 leafCertList := utils.GetLeafCerts(decodedCerts)
268 // If we got no leaf certificates or we got more than one, fail
269 if len(leafCertList) != 1 {
270 logrus.Debugf("invalid chain due to leaf certificate missing or too many leaf certificates for keyID: %s", keyID)
273 // If we found a leaf certificate, assert that the cert bundle started with a leaf
274 if decodedCerts[0].IsCA {
275 logrus.Debugf("invalid chain due to leaf certificate not being first certificate for keyID: %s", keyID)
279 // Get the ID of the leaf certificate
280 leafCert := leafCertList[0]
282 // Store the leaf cert in the map
283 leafCerts[key.ID()] = leafCert
285 // Get all the remainder certificates marked as a CA to be used as intermediates
286 intermediateCerts := utils.GetIntermediateCerts(decodedCerts)
287 intCerts[key.ID()] = intermediateCerts
290 return leafCerts, intCerts